WAF rule on query strings

I want to block bots from calling add-to-cart on my WooCommerce site. I made this WAF rule: (http.request.uri.query contains "add-to-cart")

So it blocks queries like /?add-to-cart=864, which I want. And it works great.

However, I notice it does let through more complex queries where the query string is at the end of the URL, like /product-category/subscription/?add-to-cart=30380

That is fine. I like that it ignores those query strings, as they are valid. But on my site it is never valid to have that query string as the first thing in the URL.

I'm curious why (http.request.uri.query contains "add-to-cart") does not block /product-category/subscription/?add-to-cart=30380, as there is a query string in the request. Does that rule only block a request if the query is at the beginning of the URL?

Do you maybe have any other Rules that lead to the second request being allowed?

I have created the following rule: (http.request.uri.query contains "add-to-cart")
This leads to both paths that you mentioned being blocked, check:

https://test.laudian.de/product-category/subscription/?add-to-cart=30380 (blocked)
https://test.laudian.de/?add-to-cart=864 (blocked)
https://test.laudian.de/?whatever  (not blocked)

The only other WAF rule I have is:
(http.host ne "mysite.com" and http.host ne "www.mysite.com")
Block

I found a WAF rule that works:

(http.request.uri.query contains "add-to-cart" and not http.request.uri.path contains "product-")

Every URL on my site that has ?add-to-cart will always start with product-. So I only block the ?add-to-cart query string if the URL does not contain product-.
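As an added example (this is not code from the thread or from Cloudflare), the following standard-library Python script models how the two fields the rules test are split out of a request URL and then evaluates both the original rule and the refined rule against the URLs posted above. It mirrors documented Cloudflare behaviour: http.request.uri.query is the query string without the leading "?", wherever the "?" sits in the URL, and http.request.uri.path is the path with the query string removed, which is why the original rule matches both /?add-to-cart=864 and /product-category/subscription/?add-to-cart=30380. The fourth URL (/product-foo/) is a constructed input showing that the "product-" exclusion in the refined rule is a plain substring match on the path.

```python
"""Model of the WAF expressions discussed in the thread (added example).

Field extraction follows the Cloudflare field definitions:
  http.request.uri.path  - the URI path, without the query string
  http.request.uri.query - the query string, without the '?' delimiter
Python's `in` is case-sensitive, like the Cloudflare `contains` operator.
"""
from urllib.parse import urlsplit


def request_fields(url: str) -> dict:
    """Split a URL into the two fields the WAF expressions test."""
    parts = urlsplit(url)
    return {
        "http.request.uri.path": parts.path,
        "http.request.uri.query": parts.query,
    }


def rule_original(url: str) -> bool:
    """(http.request.uri.query contains "add-to-cart") -> True means Block."""
    fields = request_fields(url)
    return "add-to-cart" in fields["http.request.uri.query"]


def rule_refined(url: str) -> bool:
    """(http.request.uri.query contains "add-to-cart"
        and not http.request.uri.path contains "product-") -> True means Block."""
    fields = request_fields(url)
    return ("add-to-cart" in fields["http.request.uri.query"]
            and "product-" not in fields["http.request.uri.path"])


# Constructed sample requests: the three from the thread plus /product-foo/,
# which is not on the page and only illustrates the substring match on the path.
SAMPLE_URLS = [
    "https://test.laudian.de/product-category/subscription/?add-to-cart=30380",
    "https://test.laudian.de/?add-to-cart=864",
    "https://test.laudian.de/?whatever",
    "https://test.laudian.de/product-foo/?add-to-cart=864",
]


def evaluate(urls=SAMPLE_URLS) -> dict:
    """Return {url: (blocked_by_original_rule, blocked_by_refined_rule)}."""
    return {u: (rule_original(u), rule_refined(u)) for u in urls}


if __name__ == "__main__":
    for url, (orig, refined) in evaluate().items():
        print(f"{url}")
        print(f"  path={request_fields(url)['http.request.uri.path']!r} "
              f"query={request_fields(url)['http.request.uri.query']!r}")
        print(f"  original rule: {'block' if orig else 'allow'}   "
              f"refined rule: {'block' if refined else 'allow'}")
```

Running it shows the path for /?add-to-cart=864 is just "/" while the query field is "add-to-cart=864" in both cases, so the position of the "?" in the URL is irrelevant to the original rule. It also shows the limit of the refined rule as written: any request whose path contains "product-" anywhere is exempt from the block, because "contains" is a substring test, not a prefix or exact match.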
